IN THE CLAIMS

Amended claims follow: 

1. (Currently Amended) A method for detecting modifications to risk assessment scanning
caused by an intermediate device, comprising: 

(a) initiating a risk assessment scan at and on a target, from a remote source utilizing a 
network; 

(b) determining whether the risk assessment scan at and on the target involves an 
intermediate device coupled between the target and the remote source; 

(c) receiving results of the risk assessment scan from the target utilizing the network; and 

(d) notifying an administrator if it is determined that the risk assessment scan at and on the 
target involves the intermediate device, wherein additional operations are carried out to 
improve a risk assessment at and on the target in view of the presence of the intermediate 
device coupled between the target and the remote source; 

wherein a plurality of procedures are utilized to determine whether the risk assessment 
scan involves the intermediate device; 

wherein at least one of the procedures includes transmitting a first request for content to 
the target utilizing the network, and transmitting a second request for a cached version of 
the content to the target utilizing the network.

2. (Original) The method as recited in claim 1, wherein the intermediate device includes a 
router. 

3. (Cancelled) 

4. (Currently Amended) The method as recited in claim 1, wherein the at least one of the
procedures includes determining a port list associated with the risk assessment scan.

5. (Original) The method as recited in claim 4, wherein the at least one of the procedures
further includes determining whether a value of a flag is different for communication
attempts using at least two ports on the port list.

6. (Original) The method as recited in claim 5, wherein the flag includes an ip_ttl flag. 

7. (Original) The method as recited in claim 5, wherein the flag includes a tcp_win flag. 

8. (Original) The method as recited in claim 5, wherein the communications include 
connection attempts between the remote source and the target utilizing the network. 

9. (Original) The method as recited in claim 5, wherein the at least one of the procedures 
further includes indicating that the risk assessment scan involves the intermediate device 
if the value of the flag is different for the communication attempts using the at least two 
ports on the port list. 

10. (Cancelled) 

11. (Currently Amended) The method as recited in claim [[10]] 1, wherein the cached content
is requested from the target utilizing a via tag.

12. (Currently Amended) The method as recited in claim [[10]] 1, wherein the at least one of
the procedures further includes analyzing responses to the first and second requests. 

13. (Original) The method as recited in claim 12, wherein the at least one of the procedures
further includes indicating that the risk assessment scan involves the intermediate device
based on the analysis.

14. (Original) The method as recited in claim 13, wherein the at least one of the procedures
further includes indicating that the risk assessment scan involves the intermediate device
if the responses to the requests are different.

15. (Currently Amended) The method as recited in claim 1, wherein the at least one of the
procedures includes transmitting a request without specifying a host header value.

16. (Original) The method as recited in claim 15, wherein the at least one of the procedures 
further includes identifying an error message in response to the request.

17. (Original) The method as recited in claim 16, wherein the at least one of the procedures 
includes indicating that the risk assessment scan involves the intermediate device if the 
response includes the error message.

18. (Currently Amended) A computer program product for detecting modifications to risk
assessment scanning caused by an intermediate device, comprising:

(a) computer code for initiating a risk assessment scan at and on a target, from a remote
source utilizing a network; 

(b) computer code for determining whether the risk assessment scan at and on the target 
involves an intermediate device coupled between the target and the remote source; 

(c) computer code for receiving results of the risk assessment scan from the target utilizing 
the network; and 

(d) computer code for notifying an administrator if it is determined that the risk assessment 
scan at and on the target involves the intermediate device; 

wherein additional operations are carried out to improve a risk assessment at and on the 
target in view of the presence of the intermediate device coupled between the target and 
the remote source; 

wherein a plurality of procedures are utilized to determine whether the risk assessment 
scan involves the intermediate device;

wherein at least one of the procedures includes transmitting a first request for content to 
the target utilizing the network, and transmitting a second request for a cached version of 
the content to the target utilizing the network.

19. (Original) The computer program product as recited in claim 18, wherein the
intermediate device includes a router. 

20. (Original) The computer program product as recited in claim 18, wherein the
intermediate device includes a proxy server. 

21. (Cancelled) 

22. (Currently Amended) The computer program product as recited in claim 18, wherein the
at least one of the procedures includes determining a port list associated with the risk 
assessment scan. 

23. (Original) The computer program product as recited in claim 22, wherein the at least one
of the procedures further includes determining whether a value of a flag is different for
communication attempts using at least two ports on the port list.

24. (Original) The computer program product as recited in claim 23, wherein the flag
includes an ip_ttl flag.

25. (Original) The computer program product as recited in claim 23, wherein the flag 
includes a tcp_win flag. 

26. (Original) The computer program product as recited in claim 23, wherein the 
communications include connection attempts between the remote source and the target 
utilizing the network. 

27. (Original) The computer program product as recited in claim 23, wherein the at least one 
of the procedures further includes indicating that the risk assessment scan involves the 
intermediate device if the value of the flag is different for the communication attempts 
using the at least two ports on the port list.

28. (Cancelled)

29. (Currently Amended) The computer program product as recited in claim [[28]] 18, 
wherein the cached content is requested from the target utilizing a via tag. 

30. (Currently Amended) The computer program product as recited in claim [[28]] 18, 
wherein the at least one of the procedures further includes analyzing responses to the first 
and second requests. 

31. (Original) The computer program product as recited in claim 30, wherein the at least one
of the procedures further includes indicating that the risk assessment scan involves the
intermediate device based on the analysis.

32. (Original) The computer program product as recited in claim 31, wherein the at least one
of the procedures further includes indicating that the risk assessment scan involves the 
intermediate device if the responses to the requests are different. 

33. (Currently Amended) The computer program product as recited in claim 18, wherein the 
at least one of the procedures includes transmitting a request without specifying a host 
header value. 

34. (Original) The computer program product as recited in claim 33, wherein the at least one 
of the procedures further includes identifying an error message in response to the request.

35. (Original) The computer program product as recited in claim 34, wherein the at least one
of the procedures includes indicating that the risk assessment scan involves the 
intermediate device if the response includes the error message. 

36. (Currently Amended) A system for detecting modifications to risk assessment scanning 
caused by an intermediate device, comprising: 

JUL 21.2006 4:40PM Z I LKA-KOTAB, PC NO. 365 1 P. 10 

(a) logic for initiating a risk assessment scan at and on a target, from a remote source 
utilizing a network; 

(b) logic for determining whether the risk assessment scan at and on the target involves an 
intermediate device coupled between the target and the remote source; 

(c) logic for receiving results of the risk assessment scan from the target utilizing the 
network; and 

(d) logic for notifying an administrator if it is determined that the risk assessment scan at and 
on the target involves the intermediate device; 

wherein additional operations are carried out to improve a risk assessment at and on the 
target in view of the presence of the intermediate device coupled between the target and 
the remote source; 

wherein a plurality of procedures are utilized to determine whether the risk assessment 
scan involves the intermediate device; 

wherein at least one of the procedures includes transmitting a first request for content to 
the target utilizing the network, and transmitting a second request for a cached version of
the content to the target utilizing the network.

37. (Currently Amended) A method for detecting modifications to risk assessment scanning 
caused by a proxy server, comprising: 

(a) initiating a risk assessment scan at and on a target, from a remote source utilizing a 
network; 

(b) executing a plurality of procedures to determine whether the risk assessment scan at and 
on the target involves a proxy server coupled between the target and the remote source; 

(c) said procedures utilizing a plurality of parameters selected from the group consisting of 
an ip_ttl flag, a tcp_win flag, a via tag, and a host header value;

(d) receiving results of the risk assessment scan from the target utilizing the network; 

(e) flagging the results of the risk assessment scan if at least one of the procedures indicates 
that the risk assessment scan involves a proxy server coupled between the target and the 
remote source; and

(f) notifying an administrator if the results of the risk assessment scan at and on the target 
are flagged;

wherein additional operations are carried out to improve a risk assessment at and on the
target in view of the presence of the proxy server coupled between the target and the 
remote source; 

wherein the at least one of the procedures includes transmitting a first request for content 
to the target utilizing the network, and transmitting a second request for a cached version 
of the content to the target utilizing the network.

38. (Currently Amended) A computer program product for detecting modifications to risk
assessment scanning caused by a proxy server, comprising: 

(a) computer code for initiating a risk assessment scan at and on a target, from a remote 
source utilizing a network; 

(b) computer code for executing a plurality of procedures to determine whether the risk 
assessment scan at and on the target involves a proxy server coupled between the target 
and the remote source; 

(c) said procedures utilizing a plurality of parameters selected from the group consisting of 
an ip_ttl flag, a tcp_win flag, a via tag, and a host header value; 

(d) computer code for receiving results of the risk assessment scan from the target utilizing 
the network; 

(e) computer code for flagging the results of the risk assessment scan if at least one of the 
procedures indicates that the risk assessment scan involves a proxy server coupled 
between the target and the remote source; 

(f) computer code for notifying an administrator if the results of the risk assessment scan at 
and on the target are flagged; 

wherein additional operations are carried out to improve a risk assessment at and on the 
target in view of the presence of the proxy server coupled between the target and the 
remote source; 

wherein the at least one of the procedures includes transmitting a first request for content 
to the target utilizing the network, and transmitting a second request for a cached version 
of the content to the target utilizing the network.

39. (Original - Renumbered) The method as recited in claim 1, wherein the intermediate
device includes a proxy server. 
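
The checks recited in claims 4-9 and 11-17, with the flagging and notification steps of claim 37, written out as an added example that is not part of the filing or of any product it describes. The class and function names, the sample observations, and the rule that an HTTP status of 400 or above counts as the "error message" are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PortProbe:
    """Reply to one connection attempt on a port from the port list."""
    port: int
    ip_ttl: int   # IP time-to-live observed in the reply
    tcp_win: int  # TCP window size observed in the reply

@dataclass(frozen=True)
class Observations:
    probes: tuple           # PortProbe for at least two ports
    first_body: bytes       # response to the first request for content
    cached_body: bytes      # response to the second request (cached version)
    hostless_status: int    # HTTP status for a request with no Host header

def assess(obs):
    """Return the reasons the scan appears to involve an intermediate device."""
    findings = []
    for flag in ("ip_ttl", "tcp_win"):
        values = {p.port: getattr(p, flag) for p in obs.probes}
        if len(set(values.values())) > 1:  # flag differs between ports
            findings.append(f"{flag} differs across ports: {values}")
    if obs.first_body != obs.cached_body:  # responses are different
        findings.append("direct and cached responses differ")
    if obs.hostless_status >= 400:  # assumption: 4xx/5xx is the error message
        findings.append(f"request without Host header returned {obs.hostless_status}")
    return findings

def notice(target, findings):
    """Flag the scan results and build the administrator notice, or None."""
    if not findings:
        return None
    return f"scan of {target} flagged (intermediate device suspected): " + "; ".join(findings)

# Constructed sample observations, not captured traffic.
PROXIED = Observations(
    probes=(PortProbe(22, 57, 65535), PortProbe(80, 64, 5840)),
    first_body=b"<html>v2</html>", cached_body=b"<html>v1</html>",
    hostless_status=400)
DIRECT = Observations(
    probes=(PortProbe(22, 57, 65535), PortProbe(80, 57, 65535)),
    first_body=b"<html>v2</html>", cached_body=b"<html>v2</html>",
    hostless_status=200)

if __name__ == "__main__":
    for name, obs in (("proxied.example", PROXIED), ("direct.example", DIRECT)):
        print(notice(name, assess(obs)) or f"scan of {name}: no intermediate device indicated")
```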